Companies face the challenge to stay compliant with a multitude of diverse regulations and internal policies. Each region has its own unique regulatory requirements, which are not limited solely to financial compliance. Global companies not only need to adhere to their own country’s regulatory mandates, but also to regulatory mandates of any country in which they do business. In most compliance environments, each initiative is managed separately, not only by different individuals, but also by different systems and procedures. This results in the following issues: 

• Lack of management confidence due to non-standardized procedures and reporting
• Duplication of efforts due to redundant evaluations and tests
• Inconsistent master data maintained in multiple systems
• Higher IT costs with multiple systems to maintain and support
• Slow time-to-compliance as new systems need to be procured, data maintained, and users trained
• Manual documentation such as spreadsheets or other paper-based solutions
• Limited oversight across all compliance initiatives from a global perspective

A multiple compliance framework (MCF) solution can overcome these issues. Using a single solution that can handle several different compliance and policy mandates increases both efficiency and effectiveness. Using an MCF helps to eliminate the duplication of efforts and simplify the management of compliance initiatives by using common master data across the entire environment. A single solution reduces the amount of IT hardware needed and the cost of powering and maintaining servers. It also reduces the cost of training users on multiple systems and multiple processes.

SAP BusinessObjects Process Control 3.0 comes with an MCF that includes the following capabilities: 

• Central master data catalog shared across compliance initiatives
• Shared surveys, manual test plans, and automated controls to reduce efforts when performing assessments, compliance testing, and continuous monitoring
• Results from evaluations can be referenced from multiple compliance initiatives instead of repeating them
• Common compliance processes and reporting within and across compliance initiatives

I will cover how the MCF in SAP BusinessObjects Process Control is used from a business user perspective and how a new regulation is set up in the system. As an example I will use a compliance initiative for the Japanese version of Sarbanes-Oxley (JSOX). For a high-level overview of SAP BusinessObjects Process Control, refer to my prior article on a risk-based internal control system.

Using the MCF

The SAP BusinessObjects Process Control portal user interface contains tabs for the Global Compliance Office (GCO) and for each compliance initiative or regulation set up in the system (Figure 1). SAP BusinessObjects Process Control comes with two pre-defined regulations: Sarbanes-Oxley and the US Food and Drug Administration (FDA). Access to the respective tabs is granted via assignment of the corresponding portal roles.

Figure 1

SAP BusinessObjects Process Control UI showing the GCO and multiple compliance initiatives as tabs in the second-level navigation

In the GCO, you set up the master data and evaluations such as surveys, manual test plans, and automated controls. You can select from both master data and evaluations in the context of a specific regulation. You maintain the following master data objects in the GCO: organizational structure, risk categories, risks, control objectives, account groups, general ledger accounts, processes, subprocesses, controls, indirect entity-level controls, regulation or policy groups, and regulations or policies.

In addition, you set up relations between them, such as control objective to risk, subprocess to control objective, subprocess to risk, control to risk, account group to risk, subprocess to account group, and regulation to organization. However, processes, subprocesses, and controls aren’t yet associated with organizations in the GCO, but in the context of a given regulation. In the Global Report Center of the GCO, you will find numerous standard reports that can run within or across the regulations set up in your system.

Figure 2 shows the SAP BusinessObjects Process Control UI of a user assigned a portal role, which contains no access to the GCO, but only to the workset for the JSOX regulation. The JSOX workset is comprised of the following work centers (e.g., portal pages) accessible through the detailed navigation on the left pane of the screen: 

• Compliance Structure: Add subprocesses from the central process catalogue created in the GCO to your regulation. Then, assign them to your organizations you previously set in scope for your regulation. You can establish this assignment as a reference or as a local copy of the subprocess. In the latter case, you can change the subprocesses in the context of your local organization without affecting the subprocess in the central process catalogue. Subprocesses assigned as references can’t be changed locally, but allow for leveraging control evaluations from other compliance initiatives. This means you need to perform control evaluations only once and can reference their results for other compliance initiatives, saving time and money.
• Evaluation Setup: Maintain schedules for continuous control monitoring, and plan assessment surveys and compliance testing for subprocesses and controls you assigned to organizations in the context of JSOX. Also, you can track job progress for monitoring and automated testing.
• Evaluation Results: Process open issues and track their remediation resulting from continuous control monitoring, or compliance assessments and testing in the context of the JSOX regulation
• Certification: Plan a sign-off and aggregation-of-deficiencies procedure to trigger workflow tasks for organizations scoped in for the JSOX regulation. Monitor the progress of the sign-off process for your areas of responsibility to support the company’s compliance certifications.
• Report Center: Report on all aspects of your compliance initiative for JSOX. Different from the Global Report Center in the GCO, you can only run reports within your regulation, but not across multiple compliance initiatives.
• User Access: The JSOX Internal Control Manager assigns application roles to users for specific entities granting them access to specific tasks within the J-SOX regulation

Figure 2

User assigned to a portal role containing the My Home and Regulations – JSOX worksets only

Configuration of a New Regulation

Next I’ll focus on how a new regulation such as JSOX is set up in the system. Assume that SAP BusinessObjects Process Control installation and post-installation has already been completed. That includes the activation of the Business Configuration Sets (BC-Sets) containing pre-delivered customizing settings in the SAP BusinessObjects Process Control business client as explained in the SAP installation guide. The configuration comprises a number of steps to be executed in the SAP BusinessObjects Process Control application server (ABAP), in the SAP NetWeaver Portal providing the UI, and in the GCO of the SAP BusinessObjects Process Control application itself. These steps result from the underpinning SAP BusinessObjects Process Control security concept consisting of SAP standard roles, SAP BusinessObjects Process Control application roles, and portal roles. For more details on the security concept refer to the SAP BusinessObjects Process Control Security Guide available in SAP Service Marketplace.

Copy and Generate Application Roles

SAP delivers application roles for the GCO, Sarbanes-Oxley, and FDA regulations. Application roles are maintained in the profile generator transaction PFCG, but are exclusively assigned to users in the respective User Access work center where they establish a triangular relation between an entity, a role, and a user. For example, selecting a particular process first and assigning a user to the Sarbanes-Oxley tester role provides this user with all required authorizations to test controls tied to subprocesses under the selected process. Each application role is associated with one of the following entity levels: corporate, organization, process, subprocess, or control.

You are free to design application roles for the new regulation according to your requirements. In my example of the JSOX regulation, I will copy the SOX application roles. It is not required to change the authorizations in the copied roles, because the customizing settings explained later ensure that a holder of a JSOX role won’t have access to any entities within the SOX regulation and vice versa. The role description field in profile generator determines how the role will appear in the User Access work center for user assignments. Table 1 lists the JSOX application roles copied from the respective pre-delivered SOX roles. Don’t forget to generate the copied roles in the profile generator transaction.

Table 1

Application roles for JSOX regulation copied from respective Sarbanes-Oxley roles

Define the Subtype in IMG Customizing

MCF organization attributes are associated with infotype 5337. For each new compliance initiative you have to create a new subtype. Use transaction SPRO to open the IMG customizing in the SAP BusinessObjects Process Control application server and navigate to the node GRC Process Control > Multiple-Compliance Framework > Define Subtype for Organization Attributes. Use 5X00 (e.g., 5300) for the new subtype for the JSOX regulation (Figure 3).

Figure 3

New subtype 5300 created for JSOX regulation

Configure the New Compliance Initiative

The pre-delivered BC-Sets already contain two fully configured regulation types: Financial Compliance assigned to Sarbanes-Oxley and Operational Compliance assigned to FDA. Each regulation type is associated with specific features such as: 

• Account groups and financial assertions
• Aggregation of deficiencies (AoD)
• Corrective action, preventive action (CAPA) remediation plans with or without eSignature for operational compliance initiatives such as FDA
• Planner tasks relevant for regulation type
• Sign-off process
• Custom fields

A regulation inherits the features associated to the regulation type to which it has been tied. In the IMG, navigate to GRC Process Control > Multiple-Compliance Framework > Configure Compliance Initiative to create and configure new regulation types or assign new regulations to existing regulation types. As the JSOX regulation in this example requires the same features as the Sarbanes-Oxley regulation, you can assign it to the regulation type Financial Compliance. This is done in two steps.

First define a regulation configuration for JSOX using the same subtype you have just created before and for the CR (Crystal Reports) Section ID in the last column, use a single letter that hasn’t been used in other regulation configurations so far (Figure 4). The regulation configuration ID in the first column is later used as an application parameter when creating portal content objects.

Figure 4

Define a regulation configuration for JSOX

Then assign the regulation configuration JSOX to the regulation type Financial Compliance (Figure 5).

Figure 5

Assign regulation JSOX to regulation type Financial Compliance

Maintain Regulation-Role Assignments

In the IMG navigate to GRC Process Control > Authorizations > Maintain Regulation Role Assignment and associate the JSOX application roles created above with an entity level and the regulation configuration for JSOX (Figure 6). Check the Unique User flag for roles assigned to single users only. The JSOX internal control manager role (Z_GRC_SPC_JSOX_ICMAN in Figure 6) is a potential candidate for this flag depending on your requirements.

Figure 6

Associate your JSOX application roles with their entity level and the regulation configuration for JSOX

Maintain Roles to Receive Workflow Tasks

In this customizing activity you configure the application role that determines the users that are recipients of the corresponding workflow activity for each business event in SAP BusinessObjects Process Control. These customizing entries determine the users receiving workflow tasks in their inboxes based on business events (e.g., perform assessment, perform control-risk assessment), entity, and subentity. For example, workflow tasks related to the business event Perform Assessment with entity Assessment (G_AS) and subentity control design assessment (CD) are sent to the holders of the application role JSOX Control Owner, whereas workflow tasks for the same business event and the same entity but subentity Process Design Assessment (PD) are sent to the holder of the application role JSOX Subprocess Owner.

As the JSOX application roles should receive the equivalent workflow tasks sent to the holders of the Sarbanes-Oxley application roles, you can simply copy the pre-delivered settings for the Sarbanes-Oxley application roles and replace the role names accordingly. This leads to the settings in Figure 7 to be added in IMG under the node GRC Process Control > Authorizations > Maintain Roles to Receive Tasks in Workflow. Table 2 provides a description for each abbreviation used in Figure 7.

Figure 7

The holders of the roles receive workflow tasks for the specified business events, entities, and subentities

Table 2

Abbreviations used in Figure 7

Create Portal Content Objects

The SAP BusinessObjects Process Control software includes the following objects for the pre-delivered regulations Sarbanes-Oxley and FDA in the folder Content Provided by SAP > GRC Process Control:

• iViews in the subfolder iViews > WORK CENTER > SOX and FDA
• Worksets Regulation – SOX and Regulation – FDA in the subfolder Worksets > WORK CENTER
• Portal roles GRC Process Control – SOX and GRC Process Control – FDA in the subfolder Roles

In addition, there is a role GRC Process Control – All that contains all worksets including the ones belonging to SOX and FDA. Each workset in this role adds a tab for each regulation to the second-level navigation of the portal as shown in Figure 1.

You need to create the corresponding portal content objects for the new regulation JSOX and extend the GRC Process Control – All role to accommodate the new JSOX workset as an additional tab. Because the JSOX workset and role require the same iViews as the SOX regulation, you can create all portal content objects starting with a copy of the respective SOX object.

Let’s start with a copy of the subfolder iViews > WORK CENTER > SOX. Log on to the SAP NetWeaver Portal as the content administrator. Select the subfolder, right-click to open the context menu, and select Copy (Figure 8).

Figure 8

Create a copy of the subfolder iViews > WORK CENTER > SOX

Then select the WORK CENTER folder, right-click and choose Paste to create a second subfolder SOX. Right-click the new subfolder and select Change ID. As New Object Name, enter JSOX and as New Object ID enter 0WORKSET_REG_JSOX. Don’t change the object ID prefix (Figure 9).

Figure 9

Change the Object Name and Object ID of the copied subfolder SOX

Now, expand the renamed subfolder JSOX and open the first iView to change the application parameter REGULATION to point to the regulation configuration JSOX you defined previously in the IMG settings (Figure 10). Continue likewise with the remaining iViews in the subfolder JSOX.

Figure 10

Change application parameter REGULATION to JSOX for each iView contained in subfolder JSOX

Now you need to create the workset Regulation – JSOX in a similar fashion. Create a copy of the workset Regulation – SOX and change its ID to Regulation – JSOX. Then open it and right-click the first iView listed (Figure 11). Select Edit to change the application parameter REGULATION to point to the regulation configuration JSOX (Figure 12).

Figure 11

Open the workset Regulation – JSOX to change the application parameter REGULATION in each iView contained

Figure 12

Change application parameter Regulation to JSOX

Continue creating a role GRC Process Control – JSOX by copying the analogous SOX role, changing its ID, and replacing the Regulation – SOX workset contained in the role by the Regulation – JSOX workset you have just created.

Finally, open the role GRC Process Control – All, right-click the workset Regulation – JSOX, and choose Add Workset to Role > Delta Link to add the new workset JSOX to the role (Figure 13).

Figure 13

Add the new workset JSOX to the Role GRC Process Control – All

Create a New Regulation in the GCO

Log on with a user holding the Global Regulation Admin role and navigate in the portal user interface to GRC Process Control > Global Compliance Office > Global Compliance Structure > Regulations and Policies (Figure 14). Select the Regulation/Policy Group Financial Compliance and click Create > Regulation Policy to create the JSOX regulation in the application itself. Enter the name and description, and assign the regulation configuration JSOX.

Figure 14

reate the JSOX regulation in the GCO and assign the regulation configuration JSOX

Continue clicking the Organizations tab and add the organizations that are subject to the JSOX regulation (Figure 15).

Figure 15

Assign your organizations that are subject to JSOX

Finally, assign a user to the application role JSOX Internal Control Manager. The user granted with this role will then assign the remaining application roles to business users within the JSOX initiative. Navigate to Regulation – JSOX > User Access and select Corporate and Organization Roles. In the Select Organization Screen of the guided procedure click Next and assign a user to the JSOX Internal Control Manager application role on corporate level (Figure 16).

Figure 16

Assign the JSOX Internal Control Manager application role

Frank Rambo, PhD

Frank Rambo, PhD, is managing a team within SAP’s Customer Solution Adoption (CSA) organization working with customers in the SAP analytics area with the objective to drive adoption of new, innovative solutions. Prior to this position, he worked eight years for SAP Germany as a senior consultant focusing on SAP security and identity management. Before he joined SAP in 1999, Frank worked as a physicist in an international research team. He lives in Hamburg, Germany.

You may contact the author at frank.rambo@sap.com.

If you have comments about this article or publication, or would like to submit an article idea, please contact the editor.